3DS2

Definition

3DS2 is the authentication protocol for card-not-present transactions that shifts fraud chargeback liability from merchant to issuer when authentication succeeds.

3DS2 (EMV 3-D Secure 2, also called 3D Secure 2 or simply 3DS2) is the current version of the 3-D Secure authentication protocol used to verify cardholder identity for card-not-present (CNP) transactions — primarily e-commerce. 3DS2 passes up to 150 data elements to the card issuer's risk system, enabling frictionless authentication for low-risk transactions (no cardholder action required) while reserving challenge flows (OTP, biometric) for higher-risk scenarios. Successful 3DS2 authentication shifts fraud chargeback liability from the merchant to the issuer.

3DS2 is the authentication protocol that determines whether an e-commerce transaction is processed frictionlessly or requires a cardholder challenge. For merchants and operators, 3DS2 performance — specifically the frictionless rate and challenge completion rate — directly determines the conversion cost of fraud prevention.

How 3DS2 Works

The 3DS2 flow has two possible paths:

Frictionless flow: The merchant’s 3DS2 SDK sends a rich data payload (device fingerprint, transaction history, behavioral signals, billing/shipping data) to the issuer’s Access Control Server (ACS). The ACS processes this data through its risk model and returns an authentication response without requiring cardholder action. No friction, no impact on conversion, and the merchant receives a liability shift.

Challenge flow: When the ACS determines the transaction is high-risk (or regulatory requirements mandate it, as under PSD2), it requests a challenge. The cardholder must complete a step-up authentication — most commonly OTP via SMS, biometric via mobile banking app, or in-app push notification. Challenge completion rates vary from 55–85% depending on market and channel.

The Liability Shift

3DS2 liability shift is one of the most commercially significant features: when authentication is completed (frictionless or challenge), fraud chargeback liability moves from the merchant to the issuer. This means the issuer — not the merchant — absorbs the loss if a fraudster completes an authenticated transaction.

Merchants operating without 3DS2 are responsible for all CNP fraud chargebacks. Merchants with 3DS2 implemented and successful authentication are protected — even if the fraud occurs post-authentication.

PSD2 and SCA

The EU’s Payment Services Directive 2 (PSD2) mandates Strong Customer Authentication (SCA) for most e-commerce transactions above €30 in the European Economic Area. 3DS2 is the primary technical implementation of SCA for card payments. Several exemptions reduce challenge rates for low-risk transactions:

  • Transaction Risk Analysis (TRA) exemption: For merchants with low fraud rates, exemptions apply up to €500.
  • Low-value exemption: Transactions under €30 may be processed without SCA.
  • Trusted beneficiary: Cardholders can whitelist merchants for SCA-free repeat purchases.

Optimization Levers

  • Data quality: Sending the full 150-element payload (vs. minimum required fields) consistently reduces challenge rates.
  • Exemption management: Actively applying SCA exemptions where eligible can recover 15–20 percentage points of frictionless rate.
  • Challenge UX: Mobile-optimized challenge flows (biometric > OTP) outperform generic redirects.
  • Issuer engagement: For large merchants, working with specific issuers whose BINs show disproportionate challenge rates can yield configuration reviews.
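The exemption rules listed under PSD2 and SCA and the two performance metrics named under Optimization Levers, worked through as an added example (not code from any 3DS2 specification, scheme or vendor SDK). The TRA amount bands are taken from the PSD2 RTS reference fraud rates (0.13% up to EUR 100, 0.06% up to EUR 250, 0.01% up to EUR 500), which goes beyond the page's single "up to EUR 500" figure; the transaction fields, the cumulative-limit simplification and the outcome labels are assumptions made here.

```python
"""Merchant-side SCA exemption triage plus frictionless / challenge-completion
rates. Added illustration; all constants are per PSD2 RTS as assumed above."""
from dataclasses import dataclass
from typing import Optional

LOW_VALUE_LIMIT = 30.00  # EUR; cumulative-count limits of the exemption ignored here
# (acquirer reference fraud rate upper bound, max exemptible amount) per RTS Art. 18
TRA_BANDS = ((0.0001, 500.00), (0.0006, 250.00), (0.0013, 100.00))


@dataclass
class Txn:
    amount_eur: float
    acquirer_fraud_rate: float          # acquirer's reference fraud rate as a fraction
    trusted_beneficiary: bool = False   # cardholder whitelisted this merchant at the issuer
    in_eea: bool = True                 # PSD2 SCA only applies to intra-EEA payments


def tra_limit(fraud_rate: float) -> float:
    """Largest TRA-exemptible amount for this fraud rate, 0.0 if TRA is unavailable."""
    for bound, limit in TRA_BANDS:
        if fraud_rate <= bound:
            return limit
    return 0.0


def sca_exemption(txn: Txn) -> Optional[str]:
    """Return the exemption a merchant may request, or None when SCA must be attempted
    (frictionless or challenge flow). Trusted beneficiary covers any amount, low-value
    and TRA are amount-bound, so they are checked in that order."""
    if not txn.in_eea:
        return None
    if txn.trusted_beneficiary:
        return "trusted_beneficiary"
    if txn.amount_eur < LOW_VALUE_LIMIT:
        return "low_value"
    if txn.amount_eur <= tra_limit(txn.acquirer_fraud_rate):
        return "tra"
    return None


def performance(results: list) -> dict:
    """Frictionless rate over all authentications and completion rate over challenges.
    Outcomes: 'frictionless', 'challenge_ok', 'challenge_abandoned' (assumed labels)."""
    n = len(results)
    frictionless = results.count("frictionless")
    completed = results.count("challenge_ok")
    challenged = completed + results.count("challenge_abandoned")
    return {
        "frictionless_rate": frictionless / n if n else 0.0,
        "challenge_completion_rate": completed / challenged if challenged else 0.0,
    }
```

A transaction that gets an exemption never reaches the frictionless/challenge split, so exemption rate and frictionless rate must be tracked separately when reviewing the levers above.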